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Abstract 

In this two-part paper, we consider the transmission of confidential data over wireless wiretap 
channels. The first part presents an information-theoretic problem formulation in which two legitimate 
partners communicate over a quasi-static fading channel and an eavesdropper observes their transmissions 
through another independent quasi-static fading channel. We define the secrecy capacity in terms of 
outage probability and provide a complete characterization of the maximum transmission rate at which 
the eavesdropper is unable to decode any information. In sharp contrast with known results for Gaussian 
wiretap channels (without feedback), our contribution shows that in the presence of fading information- 
theoretic security is achievable even when the eavesdropper has a better average signal-to-noise ratio 
(SNR) than the legitimate receiver — fading thus turns out to be a friend and not a foe. The issue of 
imperfect channel state information is also addressed. Practical schemes for wireless information-theoretic 
security are presented in Part II, which in some cases comes close to the secrecy capacity limits given 
in this paper. 
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I. Introduction 

The issues of privacy and security in wireless communication networks have taken on an increasingly 
important role as these networks continue to flourish worldwide. Traditionally, security is viewed as an 
independent feature addressed above the physical layer and all widely used cryptographic protocols (e.g. 
RSA, AES etc) are designed and implemented assuming the physical layer has already been established 
and is error free. 

In contrast with this paradigm, there exist both theoretical and practical contributions that support the 
potential of physical layer security ideas to significantly strengthen the security of digital communication 
systems. The basic principle of information-theoretic security — widely accepted as the strictest notion 
of security — calls for the combination of cryptographic schemes with channel coding techniques that 
exploit the randomness of the communication channels to guarantee that the sent messages cannot be 
decoded by a third party maliciously eavesdropping on the wireless medium (see Fig. O. 

The theoretical basis for this information-theoretic approach, which builds on Shannon's notion of 
perfect secrecy [4], was laid by Wyner [5] and later by Csiszar and Korner [6], who proved in seminal 
papers that there exist channel codes guaranteeing both robustness to transmission errors and a prescribed 
degree of data confidentiality. 

A general setup for the so called wiretap channel is shown in Fig. |2l In the original version, proposed 
by Wyner in [5], two legitimate users communicate over a main channel and an eavesdropper has access 




Fig. 1. Example of a wireless network with potential eavesdropping. Terminals T\ and T2 communicate with a base station S 
over a wireless medium (channels A and B). By listening to the transmissions of terminal T\ (through channel C), terminal T2 
may acquire confidential information. If Ti wants to exchange a secret key or guarantee the confidentiality of its transmitted 
data, it can exploit the physical properties of the wireless channel to secure the information by coding against Terminal T2 . 
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Fig. 2. In the wiretap channel problem, the goal of the legitimate users, Alice and Bob, is to communicate reliably over the 
noisy main channel, while ensuring that an eavesdropper, say Eve, is unable to obtain any information from the outputs of the 
wiretap channel. 



to degraded versions of the channel outputs that reach the legitimate receiver. In [7] it was shown that if 
both the main channel and the wiretap channel are additive white Gaussian noise (AWGN) channels, and 
the latter has less capacity than the former, the secrecy capacity (i.e. the maximum transmission rate at 
which the eavesdropper is unable to decode any information) is equal to the difference between the two 
channel capacities. Consequently, confidential communication is not possible unless the Gaussian main 
channel has a better signal-to-noise ratio (SNR) than the Gaussian wiretap channel. 

In the seventies and eighties, the impact of these works was limited, partly because practical wiretap 
codes were not available, but mostly because due the fact that a strictly positive secrecy capacity in the 
classical wiretap channel setup requires the legitimate sender and receiver to have some advantage (a 
better SNR) over the attacker. Moreover, almost at the same time, Diffie and Hellman [8] published the 
basic principles of public -key cryptography, which was to be adopted by nearly all contemporary security 
schemes. 

More recently, information-theoretic security witnessed a renaissance arguably due to the work of 
Maurer [9], who proved that even when the legitimate users (say Alice and Bob) have a worse channel than 
the eavesdropper (say Eve), it is possible for them to generate a secret key through public communication 
over an insecure yet authenticated channel. In [10] Maurer and Wolf showed that a stronger (and 
technically more convincing) secrecy condition for discrete memoryless channels yields the same secrecy 
rates as the weaker condition in [5] and [6]. A key ingredient for secret key generation over noisy channels 
is privacy amplification (see Bennett et al [11]), which provides Alice and Bob with the means to distill 
perfectly secret symbols (e.g. a secret key) from a large set of only partially secret data. This general 
approach is used and modified in Part II of this paper to develop efficient protocols for the Gaussian and 
quasi-static fading wiretap channel. 

In [12], Hero introduced space-time signal processing techniques for secure communication over 
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wireless links. More recently, Parada and Blahut [13] considered the secrecy capacity of various degraded 
fading channels. In a shorter prelude to some of the results in this paper [1], Barros and Rodrigues 
provided the first characterization of the outage secrecy capacity of slow fading channels and showed 
that in the presence of fading information-theoretic security is achievable even when the eavesdropper 
has a better average signal-to-noise ratio (SNR) than the legitimate receiver — without the need for 
public communication over a feedback channel. The ergodic secrecy capacity of fading channels was 
soon derived by Liang and Poor [14], and, independently, by Li et al. [15]. Power and rate allocation 
schemes for secret communication over fading channels were presented by Gopala et al. in [16]. Secure 
broadcasting over wireless channels is considered in [17]. 

Practical secrecy capacity-achieving codes for erasure channels were presented by Thangaraj et al. 
in [18]. LDPC codes were also shown by Bloch et al. [19] to be useful tools for reconciliation of 
correlated continuous random variables, with implications in quantum key distribution. A related scheme 
was presented by Ye and Reznik in [20]. Experimental results supporting the possibility of information- 
theoretic secret key agreement over wireless channels were reported by Imai et al in [21]. 

Secrecy systems with multiple users have also recently become an object of intense research. Csiszar 
and Narayan [22] presented the fundamental limits of secret key generation in multi-terminal setups. 
Secret key constructions for this problem are reported by Ye and Narayan in [23]. A detailed study of 
the multiple access channel with secrecy constraints between users was provided by Liang and Poor 
in [24]. Liu et al presented results for the same problem in [25] and, investigated in [26] also broadcast 
and interference channels with confidential messages. The Gaussian multiple access channel with an 
eavesdropper was studied in [27]. 

A. Our Contributions 

Motivated by the general problem of securing transmissions over wireless channels, we consider the 
impact of fading on the secrecy capacity. Our contributions in Part I are as follows: 

(a) an information-theoretic formulation of the problem of secure communication over wireless chan- 
nels; 

(b) a characterization of the secrecy capacity of single-antenna quasi-static Rayleigh fading channels 
in terms of outage probability; 

(c) a simple analysis of the impact of user location on the achievable level of secrecy; 

(d) a rigorous comparison with the Gaussian wiretap channel evidencing the benefits of fading towards 
achieving a higher level of security; 
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(e) a mathematical characterization of the impact of imperfect CSI about the eavesdropper's channel 
on the secrecy capacity; 

(f) a comparison between information-theoretic security techniques at the physical layer and classical 
cryptographic methods at higher layers of the protocol stack. 

Among the different conclusions to be drawn from our results perhaps the most striking one is that, in 
the presence of fading, information-theoretic security is achievable even when the eavesdropper's channel 
has a better average SNR than the main channel. 

B. Organization of the Paper 

The rest of the paper is organized as follows. First, Section JI] provides an information-theoretic 
formulation of the problem of secure communication over fading channels. Then, Section JII] analyzes 
the secrecy capacity of a quasi-static Rayleigh fading channel in terms of outage probability. The 
implications of channel state information are analyzed in Section JV] Finally, Section |V]compares classical 
cryptographic methods with information-theoretic security for wireless channels, and S ection IVll concludes 
the paper. 

II. Secure Communication over Quasi-Static Rayleigh Fading Channels 

A. Wireless System Setup 

Consider the wireless system setup depicted in Fig. |Jl A legitimate user, say Alice, wants to send 
messages to another user, say Bob. Alice encodes the message block into the codeword x" for 
transmission over the channel (the main channel). Bob observes the output of a discrete-time Rayleigh 
fading channel given by 

yM{i) = hM{i)x{i) +nM{i), 

where hM{i) is a circularly symmetric complex Gaussian random variable with zero-mean and unit- 
variance representing the main channel fading coefficient and nM{i) is a zero-mean circularly symmetric 
complex Gaussian noise random variable. 

A third party (Eve) is also capable of eavesdropping Alice's transmissions. In particular. Eve observes 
the output of an independent discrete-time Rayleigh fading channel (the wiretap channel) given by 

yw{i) = hw{i)x{i) +nw{i), 
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where hw{i) denotes a circularly symmetric complex Gaussian random variable with zero-mean and unit- 
variance representing the wiretap channel fading coefficient and nw{i) denotes a zero-mean circularly 
symmetric complex Gaussian noise random variable. 

It is assumed that the channels' input, the channels' fading coefficients and the channels' noises are 
all independent. It is also assumed that both the main and the wiretap channels are quasi-static fading 
channels, that is, the fading coefficients, albeit random, are constant during the transmission of an entire 
codeword = /iAf,Vi = l,...,n and hw{i) = hw,yi = l,...,n) and, moreover, independent 

from codeword to codeword. 

We take the average transmit power to be P, that is 

i=l 

and the average noise power in the main and the wiretap channels to be Nm and Nw, respectively. 
Consequently, the instantaneous SNR at Bob's receiver is 

7M(i) = P\hM{i)W^M = P\hM\^/NM = 1m 

and its average value is 

7m (i) = PE /Nm = PE [|/ia/|2] /Nm = 7m- 

Likewise, the instantaneous SNR at Eve's receiver is 

7vy(i) = P\hw{i)\VNw = P\hw\VNw = iw 

and its average value is 

7H.(i) = PE [\hw{i)\^] /Nw=PE [\hw\^] /Nw = iw 

Since the channel fading coefficients h are zero-mean complex Gaussian random variables and the 
instantaneous SNR 7 oc it follows that 7 is exponentially distributed, specifically 

p{im) = ^ exp ( - ^ ) , 7M > (1) 
7a/ V 7a// 

and 

P{lw) = ^ exp ( ) , 7VF > 0. (2) 
Iw V IwJ 
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Fig. 3. Wireless system setup. 



B. Problem Statement 

Let the transmission rate between Alice and Bob be i? = H{W'')/n, the equivocation ratqj or Eve's 
uncertainty be A = H{W''\Y^)/H{W''), and the error probability Ve = V{W^ / W"), where W'' 
denotes the sent messages and denotes Bob's estimate of the sent messages. 

In general, one is interested in characterizing the rate-equivocation region, that is, the set of achievable 
pairs {R' , d'). A pair {R' , d') is achievable if for all e > there exists an encoder-decoder pair such that 
R > R' — e, A > d' — e, and < e. Here, however, we are interested in characterizing the secrecy 
capacity Cg, that is, the maximum transmission rate i? at A = 1. 

In the rest of the paper, we will study the secrecy capacity of this wireless system for different 
channel state information (CSI) regimes. We will always assume that Bob has perfect knowledge of the 
main channel fading coefficient and that Eve also has perfect knowledge of the wiretap channel fading 
coefficient We will also always assume that Alice has perfect knowledge of the main channel fading 
coefficient. Note that these assumptions are realistic for this slow fading wireless environment: both 
receivers can always obtain close to perfect channel estimates and, additionally, the legitimate receiver 
can also feedback the channel estimates to the legitimate transmitter. However, we will assume various 

'Notice that the secrecy condition used here (and in [5], [7]) is weaker than the one proposed by Maurer and Wolf in [10], where 
the information obtained by the eavesdropper is negligibly small not just in terms of rate but in absolute terms. Unfortunately, 
it is unclear whether the techniques used for discrete memoryless channels in [10] can be extended for Gaussian channels, in 
particular information reconciliation and privacy amplification. Resolving this issue is part of our ongoing efforts. 

^By virtue of the independence of the main channel and the wiretap channel, there are no additional benefits/penalities if Bob 
knows the wiretap fading coefficient and/or Eve knows the main channel fading coefficient 
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regimes for Alice knowledge of the eavesdropper channel: 

(a) No knowledge of the wiretap channel fading coefficient; 

(b) Partial knowledge of the wiretap channel fading coefficient; 

(c) Perfect knowledge of the wiretap channel fading coefficient. 

Case 1 corresponds to the situation where Eve is a passive and malicious eavesdropper in the wireless 
network. Cases 2 and 3 correspond to the situation where Eve is another active user in the wireless 
network, so that, e.g. in a TDMA environment, Alice can estimate the wiretap channel during Eve 
transmissions. 

In the following sections, we will characterize the secrecy capacity in terms of outage events for the 
wireless system setup in Fig. \3\ 

III. Secrecy Capacity and Outage without CSI on the Eavesdropper's Channel 

In this section, we will consider the situation where the legitimate transmitter (Alice) knows nothing 
about the state of the eavesdropper's channel. However, we assume that the legitimate transmitter and 
receiver know the state of the main channel perfectly and that the eavesdropper also knows the state of 
the eavesdropper channel perfectly (see Section 

Consequently, this section characterizes the secrecy capacity of a quasi-static Rayleigh fading channel 
in terms of outage probability. First, we consider a single realization of the fading coefficients and compute 
its instantaneous secrecy capacity. Then, we discuss the existence of (strictly positive) secrecy capacity 
in the general case, and build upon the resulting insights to characterize the outage probability and the 
outage secrecy capacity. 

A. Instantaneous Secrecy Capacity 

We start by deriving the secrecy capacity for one realization of a pair of quasi-static fading channels 
with complex noise and complex fading coefficients. 

For this purpose, we recall the results of [7] for the real-valued Gaussian wiretap channel, where it is 
assumed that Alice and Bob communicate over a standard real additive white Gaussian noise (AWGN) 
channel with noise power N]\i and Eve's observation is also corrupted by Gaussian noise with power 
Nw > Nm, i-fi- Eve's receiver has lower SNR than Bob's. The power is constrained according to 
n Sr=i ^ [^(^)^] ^ For tl^is instance, the secrecy capacity is given by 

Cs = Cm — Cw, (3) 
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where 

CM = ^log(l + £ 

is the capacity of the main channel and 

denotes the capacitjcl of the eavesdropper's channel. From this result, we can derive the following lemma 
which describes the instantaneous secrecy capacity for the wireless fading scenario defined in Section JI] 
Lemma 1: The secrecy capacity for one realization of the quasi-static complex fading wiretap-channel 
is given by 

_ J log (1 + 7m) - log (1 + 7iy) if 7A/ > 7w 
[ if 7A/ < jw 

Proof: Suppose that both the main and the wiretap channel are complex AWGN channels, i.e. trans- 
mit and receive symbols are complex and both additive noise processes are zero mean circularly symmetric 
complex Gaussian. The power of the complex input X is constrained according to i Yl7=i ^ [1^(^)1^] — 
P. Since each use of the complex AWGN channel can be viewed as two uses of a real-valued AWGN 
channel [28, Appendix B], the secrecy capacity of the complex wiretap channel follows from ^ as 

Cs = log (l + - log (l+ ^ 



NmJ V 
per complex dimension^. 

To complete the proof, we introduce complex fading coefficients for both the main channel and the 
eavesdropper's channel, as detailed in Section |lll Since in the quasi-static case and hw are random 
but remain constant for all time, it is perfectly reasonable to view the main channel (with fading) as a 
complex AWGN channel [28, Chapter 5] with SNR = ^'I^a/P/^m and capacity 

CM = \og(l + \hM? ^ 



Nm 

Similarly, the capacity of the eavesdropper's channel is given by 

Cm/ = log l^ + \hw?^ 

with SNR 7vy = P\hy/\'^ / . Thus, once again based on Q and the nonnegativity of channel capacity, 
we may write the secrecy capacity for one realization of the quasi-static fading scenario as (IHi. ■ 

^Unless otherwise specified, all logarithms are taken to base two. 

''Alternatively, this result can be proven by repeating step by step the proofs of [7] using complex-valued random variables 
instead of real-valued ones. 
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B. Probability of Strictly Positive Secrecy Capacity 

We will now determine the probability V{Cs > 0) of a strictly positive secrecy capacity between Alice 
and Bob. 

Lemma 2: For average signal-to-noise ratios and on the main channel and the wiretap channel, 
respectively, we have that 

V{Cs>0) = _ . (5) 

Proof: As explained in Section ITlI-AI for specific fading realizations, the main channel (from Alice 
to Bob) and the eavesdropper's channel (from Alice to Eve) can be viewed as complex AWGN channels 
with SNR 7j\/ and 7^1/, respectively. Moreover, from ^ it follows that the secrecy capacity is positive 
when 7Af > 7iy and is zero when 7j\/ < 7^1/. Invoking independence between the main channel and the 
eavesdropper's channel and knowing that the random variables 7jv/ and 7iy are exponentially distributed 
with probability density functions given by ([T|l and (|2l), respectively, we may write the probability of 
existence of a non-zero secrecy capacity as 

ViC, > 0) = V(ciM > 7M/) 

/ p{lM,7w)d-/wd'yM 
Jo 

00 />7aj 

/ p{lM)p{lw)d'ywd'yM 
Jo 

iM 



iM + IW 



It is also useful to express this probability in terms of parameters related to user location. 
Corollary 1: For distance (Im between Alice and Bob, distance dyy between Alice and Eve, and 
pathloss exponent a, we have that 

> 0) = 1 (6) 

1 + {(iM/aw) 

Proof: The corollary follows directly from the fact that ^j^j oc 1/c?^/ and 7^1/ oc l/d^y [29]. ■ 
Remark 1: Note that when -/m > 7^/ (or (Im < dw) then 'P{Cs > 0) « 1 (or V{Cs = 0) ^ 0). 
Conversely, when :$> (or dw ^ dj\/) then V{Cs > 0) (or V{Cs = 0) 1). It is also 
interesting to observe that to guarantee the existence of a non-zero secrecy capacity with probability 
greater than po then it follows from ^ and Q that 

7a/ ^ Po 



Iw 1 - Po 



10 



or 



dM ^ „ / 1 - Po 
dw \ Po ' 

In particular, a non-zero secrecy capacity exists even when 7^/ < or (Im > dw, albeit with probability 
less than 1/2. 

C. Outage Probability of Secrecy Capacity 

We are now ready to characterize the outage probability 



i.e. the probability that the instantaneous secrecy capacity is less than a target secrecy rate Rg > 0. The 
operational significance of this definition of outage probability is that when setting the secrecy rate Rg 
Alice is assuming that the capacity of the wiretap channel is given by C(y = Cm — Rs- As long as 
Rg < Cs, Eve's channel will be worse than Alice's estimate, i.e. Cw < C^, and so the wiretap codes used 
by Alice will ensure perfect secrecy. Otherwise, if Rg > Cg then Cw > C'-^ and information-theoretic 
security is compromised. 

Theorem 1: The outage probability for a target secrecy rate Rg is given by 



Von.{Rs) =V{Cg<Rg) 




(7) 



Proof: Invoking the total probability theorem. 



Vo^,{Rs) 



V{Cg < Rg I 7M > -/w)V{jM > -fw) 



+V{Cg <Rg\^M< lw)V{^M < iw) 



Now, from ([5]) we know that 



7m 



Consequently, we have 



Iw 



iM + lW 



On the other hand, we also have that 



V{Cg < Rg I 7A/ > iw) 
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P(log(l + 7j\/) - log(l + ^w) < Rs I 7M > 7w) 

V{-fM < (1 + 7ty) - 1 I 7M > 7iy) 

oo /■2«-(1+7h-)-1 

/ P(7M,7VK I 7M > 7iy)<i7vi/(^7M 

-'7w 



/^(7A/ > 7W) 



7m + 2^=7h/ V 7m 



and, since i?^ > 0, 



ViCs < Rs I 7M < 7w) = 1- 
Combining the previous five equations, we get 



7m 



VoM) = 1 - _ exp = . (8) 

7M + 2^^7iy V 7m / 

■ 

D. Outage Secrecy Capacity 

Another performance measure of interest is the e-outage secrecy capacity, defined as the largest secrecy 
rate such that the outage probability is less than e, i.e. 

7^out(aut(e)) = e • 

Although it is hard to obtain the outage secrecy capacity analytically — the outage probability is a 
complicated function of the secrecy rate — it is possible to compute its value numerically based on 

E. Asymptotic Behavior 

It is illustrative to examine the asymptotic behavior of the outage probability for extreme values of the 
target secrecy rate Rs. From ([7]) it follows that when Rs 0, 

7iy 



out ' 



7m + Iw 

and when Rs — > oo, we have that "Pout —>■ 1> such that it becomes impossible for Alice and Bob to 
transmit secret information (at very high rates). 

Also of interest is the asymptotic behavior of the outage probability for extreme values of the average 
SNRs of the main channel and the eavesdropper's channel. When 7^/ S> Jiy, equation ([7]) yields 

2^'-l' 



VoutiRs) ~ 1 - exp 
12 



7m 




Fig. 4. Outage probability versus 7^,^^, for selected values of 7^- and for a normalized target secrecy rate equal to 0.1. 
Normalization is effected with respect to the capacity of an AWGN channel with SNR equal to "^j^j. 



and in a high SNR regime Pout ~ (2 " — 1)/7m, i-e. the outage probability decays as 1/7^/. Conversely, 
when 7yi/ > 7^,/, 

Vo^,{Rs) ~ 1, 

and confidential communication becomes impossible. 

Fig. I?] depicts the outage probability versus 7^/, for selected values of 7^^ and for a normalized target 
secrecy rate equal to 0.1. Observe that the higher 7^^^ the lower the outage probabiUty, and the higher 
7v(/ the higher the probability of an outage. Moreover, if 7^^/ » t^*^ outage probability decays as 
1/7a/- Conversely, if 7^ ^ 7j\/ the outage probability approaches one. 

With respect to the asymptotic behavior of the outage secrecy capacity, it is not difficult to see that 
Cout yields Pout ^ Iw / {1m + Iw)' and when Cout ^ 00, we have Pout ^ 1- 

The impact of the distance ratio on the performance is illustrated in Fig. |5l which depicts the outage 
probability versus dw/du, for selected values of 7^,/ and for a normalized target secrecy rate equal 
to 0.1. The pathloss exponent is set to be equal to a typical value of 3 [29]. When dw/du — > c>o (or 
ImMw 00)' we have that Pout ^ 1 - exp(-(2^- - I) Mm)- If dw/du (or ^mMw ^ 0)' ^en 

T^out ^ 1. 
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F. Fading Channels versus Gaussian Channels 

It is important to emphasize that under a fading scenario — in contrast with the Gaussian wiretap 
channel [7] — the goal of a strictly positive (outage) secrecy capacity does not require the average SNR 
of the main channel to be greater than the average SNR of the eavesdropper's channel. This is due 
to the fact that in the presence of fading there is always a finite probability, however small, that the 
instantaneous SNR of the main channel 7m is higher than the instantaneous SNR of the eavesdropper's 
channel 

Specifically, the results in Section |lll] demonstrate that a non-zero outage secrecy capacity requires 
1m > 1w ^out < 0.5, but we may have 7j^/ < 7^^/ for Voui > 0.5. In other words, if we are willing 
to tolerate some outage, then there is no obstacle to information-theoretic security over wireless fading 
channels. In fact, it is possible to trade off outage probability for outage secrecy capacity: a higher outage 
secrecy capacity corresponds to a higher outage probability, and vice versa. 

It also turns out that the outage secrecy capacity of a fading channel can actually be higher than the 
secrecy capacity of a Gaussian wiretap channel. Consider the examples shown in Fig. |6] and Fig. [71 
which depict the normalized outage secrecy capacity versus 7^^, for selected values of 7^^, and for an 
outage probability of 0.1 and 0.75, respectively. The normalized secrecy capacity of the Gaussian wiretap 
channel with main channel SNR equal to 7^^^ and wiretap channel SNR equal to ^1^° included for 



norm. R = 0.1 




Fig. 5. Outage probability versus dw/dM, for selected values of ^^.j and for a normalized target secrecy rate equal to 0.1. 
Normalization is effected with respect to the capacity of an AWGN channel with SNR equal to ^J^J. 
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comparison. Observe that in the Gaussian case the secrecy capacity is zero when 7^/ < In contrast, 
in the case of Rayleigh fading channels the outage secrecy capacity is non-zero even when 7^^^ < 7^5/ (as 
long as "Pout > 0.5). More importantly, the outage secrecy capacity in the Rayleigh fading case exceeds the 
secrecy capacity of the equivalent Gaussian wiretap channel, for higher outage probabilities. These key 
observations are also corroborated by Fig. |Sl which compares the normalized (outage) secrecy capacity 
for fading channels to the secrecy capacity of Gaussian channels, for various outage probabilities. 




Fig. 6. Normalized outage secrecy capacity versus 7^^, for selected values of 7jy, and for an outage probability of 0.1. Thinner 
lines correspond to the normalized outage secrecy capacity in the case of Rayleigh fading channels, while thicker lines correspond 
to the secrecy capacity of the Gaussian wiretap channel. Normalization is effected with respect to the capacity of an AWGN 
channel with SNR equal to 7^,^^. 



Finally, it is also interesting to examine the average secrecy rate given by 

-Rs = (1 — 'Pout(-Rs)) • Rs 

The average secrecy rate Rs is a function of Alice's target instantaneous secrecy rate Rs, so that Alice is 
in principle able to optimize the target instantaneous secrecy rate to maximize the average secrecy rate 
(see Fig. O. Fig. [70| compares the optimum average secrecy rate in the case of Rayleigh fading channels 
to the secrecy capacity of AWGN channels. It is interesting to observe once again that there is a positive 
secrecy rate in a Rayleight fading channel even when the average SNR in the main channel is lower than 
that in the eavesdropper channel. 
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Fig. 7. Normalized outage secrecy capacity versus ^j^, for selected values of 7,^, and for an outage probability of 0.75. 
Thinner lines correspond to the normalized outage secrecy capacity in the case of the Rayleigh fading channels, while thicker 
lines correspond to the secrecy capacity of the Gaussian wiretap channel. Normalization is effected with respect to the capacity 
of an AWGN channel with SNR equal to 7^1^ . 



IV. Performance Analysis with Perfect and Imperfect CSI on the Eavesdropper's 

Channel 

In this section, we move from the paradigm where the legitimate transmitter (Alice) knows nothing 
about the state of the eavesdropper's channel to one where Alice knows the state of the eavesdropper's 
channel partially or even perfectly. However, we still assume that the legitimate transmitter and receiver 
know the state of the main channel perfectly and that the eavesdropper also knows the state of the 
eavesdropper channel perfectly (see Section |II1)- 

We model Alice's estimate of Bob's channel as 

where h m is the estimate fading coefficient of the main channel and is the true fading coefficient of 
the main channel. Thus, the estimate main channel instantaneous SNR is equal to the true main channel 
instantaneous SNR, that is 

7m = 7m- 
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Fig. 8. Normalized outage secrecy capacity versus outage probability, for selected values of 7jy^ and Thinner lines correspond 
to the normalized outage secrecy capacity of the eavesdropper's Rayleigh fading channel, while thicker lines correspond to the 
secrecy capacity of the Gaussian wiretap chaimel (in the last two cases this capacity is zero). Normalization is effected with 
respect to the capacity of an AWGN channel with SNR equal to 



We also model Alice's estimate of Eve's channel as 

where hw is the estimate fading coefficient of the wiretap channel, hw is the true fading coefficient of 
the wiretap channel and 6w is a circularly symmetric complex Gaussian random variable with mean zero 
and variance fj^ per dimension. Thus, the true value and the estimate of wiretap channel instantaneous 
SNR may be different, that is 

iw 7^ iw- 

In this new scenario, we will assume that Alice always sets the instantaneous information transmission 
rate to be equal to the instantaneous secrecy capacity estimate Cg of the channel where 

Cm — Cw if Cm > Cw 
if Cm < Cw 

and Cm = log(l + 7a/) is the instantaneous main channel capacity estimate and Cw = log(l + ^w) is 
the instantaneous wiretap channel capacity estimate. We will now characterize the fundamental secrecy 
limits when Alice knows the state of the eavesdropper's channel both imperfectly and perfectly, including 
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Fig. 9. Normalized average secrecy rate versus normalized instantaneous secrecy rate, for selected values of 7j,^ and 
Thinner lines correspond to the normalized average secrecy rate of Rayleigh fading channels, while thicker lines correspond to 
the secrecy capacity of the Gaussian wiretap channel (in the last two cases this capacity is zero). Normalization is effected with 
respect to the capacity of an AWGN channel with SNR equal to jj^j. 



the probability of a secrecy outage, the average secure throughput (from Alice to Bob) and the average 
leaked throughput (from Alice to Eve). 

A. Imperfect Knowledge of CSI of Eavesdropper's Channel 

In this situation, Alice conveys information to Bob at a rate Rs = Cg using a wiretap code designed 
for the operating point {Cm,Cw) = {Cm,Cw), when Cm > Cw- If Cw > Cw (i-e-, Cs < Cs) 
transmission in perfect secrecy is guaranteed, that is, a secrecy outage does not occur. Otherwise, if 
Cw < Cw Cs > Cs) transmission in perfect secrecy cannot be guaranteed, that is, a secrecy outage 
occurs. It is now relevant to characterize the probability of a secrecy outage. 

Theorem 2: The probability of a secrecy outage is upper bounded by 

1 1 1 

Proof: The probability of a secrecy outage is given by 

Vout = ViCw < Cm,Cw < Cw) = 'Pilw < lM,lw < iw) = 'Pi'lw < ■min{-iM,lw)) 
Consequently, the probability of a secrecy outage is upper bounded by 

^out = Vi'^w < min{jM,7w)) < 'Pilw < iw) 
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Fig. 10. Normalized average secrecy rate versus ^j^j, for selected values of Thinner lines correspond to the normalized 
average secrecy rate in the case of Rayleigh fading channels, while thicker lines correspond to the secrecy capacity of the 
Gaussian wiretap channel. Normalization is effected with respect to the capacity of an AWGN channel with SNR equal to y^. 



Now, V{'yw < Iw) can be written as follows 

/•oo 

V{^w < iw) = / Vi^w < lwhw)p{lw)d'yw 



where pijw) is the probability density function of 7^4/ (see Moreover, V{'yw < Iwhw) can also 
be written as follows 



V{^w < iwhw) = / p{lw\lw)d'yw 
Jo 



where pijwllw) is the probability density function of conditioned on 714/. This probability density 
function is non-central with two degrees of freedom, i.e. 



P\nw\lw) = izz — 2^ ~ — T~ ' 



7vy > 



where /o(-) is the zeroth-order modified Bessel function of the first kind [30]. Thus, the probability 

'Pilw < iwhw) reduces to 

where Qi(-, •) is the generalized Marcum Q function [30]. Moreover, using standard results for integrals 
involving the generalized Marcum Q function [31], the upper bound to the outage probability reduces to 
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It is also relevant to characterize two other quantities with operational significance: the average secure 
throughput (or average secrecy rate) and the average leaked throughput. These quantities correspond 
to the average of the instantaneous secure throughput and the instantaneous leaked throughput over 
every possible realization of the main channel and the eavesdropper's channel. Now, the average secure 
throughput is lower bounded by the average of the transmission rate over instances where the secrecy 
capacity estimate is lower than the true secrecy capacity, i.e. 



Jo 

In turn, the average leaked throughput is upper bounded by the average of the transmission rate over 
instances where the secrecy capacity estimate is higher than the true secrecy capacity, i.e. 



These quantities will be characterized numerically due to the difficulty in determining closed-form 
expressions. 

A number of comments on the behavior of the various performance measures are now in order. Fig. [77] 
shows that the upper bound to the outage probability is considerably tight in a regime where the average 
SNR of the main channel is greater than the average SNR of the eavesdropper channel. More importantly, 
the outage probability is a monotone decreasing function of the variance of the channel estimation error, 
so that for cr^ > the higher the variance of the channel estimation errors the lower the outage probability. 

This counterintuitive result is based on the fact that for moderate values of the variance of the 
channel estimation error Alice tends to consistently underestimate the secrecy capacity of the system. 
Consequently, the attempted instantaneous transmission rate is consistently lower than the instantaneous 
secrecy capacity so that the outage probability is also lower. This in turn results in a lower average secure 
throughput and a lower average leaked throughput as shown in Fig. \T2\ and Fig. [721 

Yet, of extreme relevance is the fact that even in the presence of channel estimation errors it is possible 
to convey information in a secure manner over a wireless environment (that is, with an average secure 
throughput substantially greater than the average leaked throughput) provided now that the average SNR 
of the main channel is greater than the average SNR of the eavesdropper channel (cf. Fig. [72] and Fig. [7?] ). 

B. Perfect Knowledge of CSI of Eavesdropper's Channel 

In this situation, Alice conveys information to Bob at a rate Rs = Cg = Cg using a wiretap code 
designed for the operating point {Cm,Cw) = {Cm,Cw), so that a secrecy outage never occurs. It 
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Fig. 11. Outage probability versus for 7^. — 10 dB, and for selected values of a^. Thicker lines correspond to the upper 
bound to the outage probability while thinner lines correspond to the true outage probability. 



follows that the average secure throughput (average secrecy rate) is 

POO 

Rs= / RsdFcXRs), 
Jo 



where 



FcARs) = V{Cs <Rs) = l- - Jofl- 



and the average leaked throughput is zero. 

Fig. [73] compares the average secrecy rate in a "wiretap" Rayleigh fading channel to the secrecy 
capacity in the classic wiretap Gaussian channel. Strikingly, one observes that the average secrecy rate in 
the fading channel is indeed higher than or close to the secrecy capacity in the Gaussian channel. One also 
observes that, in contrast to the situation in the Gaussian channel, the average secrecy rate in the fading 
channel is non-zero even when the average SNR of the main channel is lower than the average SNR of 
the eavesdropper channel. These observations underline once again the potential of fading channels to 
secure the transmission of information between two legitimate parties against a possible eavesdropper. 

^Note that the expression for the cumulative distribution function of the instantaneous secrecy capacity is exactly the same 
as the expression for the outage probability in l|7j. 
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Fig. 12. Normalized average secure throughput versus 7^,^^ for — 10 dB, and for selected values of a^. Normalization is 
effected with respect to the capacity of an AWGN channel with SNR equal to 'Jj^j. 

V. Information-Theoretic vs. Computational Security in Wireless Networks 

Due to the many fundamental differences between classical cryptography and information-theoretic 
security, it is useful to recognize what those differences are and how they affect the choice of technology 
in a wireless scenario. It is fair to state that classical cryptographic security under the computational 
model offers the following advantages: 

• there are so far no pubUcly-known, efficient attacks on public-key systems such as RSA, and hence 
they are deemed secure for a large number of applications; 

• very few assumptions are made about the plaintext to be encoded, and security is provided on a 
block-to-block basis, meaning as long as the cryptographic primitive is secure, then every encoded 
block is secure; 

• Systems are widely deployed, technology is readily available and inexpensive. 

On the other hand, we must consider also the following disadvantages of the computational model: 

• Security is based on unproven assumptions regarding the hardness of certain one-way functions. 
Plaintext is insecure if assumptions are wrong or if efficient attacks are developed; 

• In general there are no precise metrics or absolute comparisons between various cryptographic 
primitives that show the trade off between reliability and security as a function of the block length 
of plaintext and ciphertext messages - in general, the security of the cryptographic protocol is 
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Fig. 13. Normalized average leaked throughput versus 7^,^ for 7^^, — 10 dB, and for selected values of a^. Normalization is 
effected with respect to the capacity of an AWGN channel with SNR equal to 'JJ^J. 



measured by whether it survives a set of attacks or not; 

• In general, these will not be information theoretically secure if the communication channel between 
friendly parties and the eavesdropper are noiseless, because the secrecy capacity of these application- 
layer systems is zero; 

• State-of-the art key distribution schemes for wireless networks based on the computational model 
require a trusted third party as well as complex protocols and system architectures [32]. 

The advantages of physical layer security under the information-theoretic (perfect) security models can 
be summarized as follows: 

• No computational restrictions are placed on the eavesdropper; 

• Very precise statements can be made about the information that is leaked to the eavesdropper as a 
function of channel quahty and blocklength of the messages [11]; 

• Has been realized in practice through quantum key distribution [33]; 

• In theory, suitably long codes used for privacy amplification can get exponentially close to perfect 
secrecy [11]; 

• Instead of distributing keys it is possible to generate on-the-fly as many secret keys as desired. 

In contrast, we have to take into consideration the following disadvantages of information-theoretic 
security: 
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Fig. 14. Normalized average secrecy rate versus 7J^^, for selected values of Thinner lines correspond to the normalized 
average secrecy rate in the case of Rayleigh fading channels, while thicker lines correspond to the secrecy capacity of the 
Gaussian wiretap channel. Normalization is effected with respect to the capacity of an AWGN channel with SNR equal to y^. 



• Information-theoretic security is an average-information measure. The system can be designed and 
tuned for a specific level of security - e.g. with very high probability a block will be secure, but it 
may not be able to guarantee security with probability 1; 

• Requires assumptions about the communication channels that may not be accurate in practice. In 
many cases one would make very conservative assumptions about the channels. This will likely result 
in low secrecy capacities and low secret-key or -message exchange rates. This gives extremely high 
security and reliability, but at low communication rates; 

• A few systems (e.g Quantum Key Distribution) are deployed but the technology is not as widely 
available and is expensive; 

• A short secret key is still required for authentication [9]. 

In light of the brief comparisons above, it is likely that any deployment of a physical-layer security 
protocol in a classical system would be part of a "layered security" solution where security is provided at 
a number of different layers, each with a specific goal in mind. This modular approach is how virtually 
all systems are designed today, so in this context, physical-layer security provides an additional layer of 
security that does not exist today in classical systems. 



24 



VI. Conclusions 

We provided a preliminary characterization of the outage secrecy capacity of wireless channels with 
quasi-static fading. Specifically, we assumed that Alice — having access to the CSI of the main channel 
only — chooses a target secrecy rate Rg (without knowing the wiretap channel) and we investigated the 
outage probability defined as V{Rs > Cg)- Our results reveal that (a) perfectly secure communication over 
wireless channels is possible even when the eavesdropper has a better average SNR than the legitimate 
partners, and (b) the outage secrecy capacity of wireless channels can actually be higher than the secrecy 
capacity of a Gaussian wiretap channel with the same averaged SNRs 7j\/ and jyy. Furthermore, we 
analyzed the impact of imperfect channel state information on the outage probability and the outage 
secrecy capacity. In particular, we have demonstrated that even in the presence of imperfect CSI it is 
possible to convey information in an almost secure manner, that is, with an average secure throughput 
substantially greater than the average leaked throughput. 

Suppose now that Alice has access to CSI on both the main channel and the eavesdropper's channel. 
This is the case, for example in a Time Division Multiple Access (TDMA) environment, when Eve is 
not a covert eavesdropper, but simply another user interacting with the wireless network, thus sending 
communication signals that allow Alice to estimate the CSI of the channel between them. A natural 
way for Alice to exploit the available CSI on both channels to achieve secrecy is by transmitting useful 
symbols to Bob only when the instantaneous SNR values are such that the instantaneous secrecy capacity 
is strictly positive {jm > Jw)- 

This observation thus suggests an opportunistic secret key agreement scheme for wireless networks 
— even when the outage probability is very high, the available secrecy capacity is still likely to enable 
Alice and Bob to generate an (information-theoretically secured) encryption key that could then be used 
to secure the data exchange while the system is in outage of secrecy capacity. Implementing such a 
scheme is the goal of Part II of this paper. 
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